WebCookies.info provides a free audit of web cookies used by a website. See how websites are tracking user activities using web cookies, obtain an easy-to-understand cookie usage summary and find out about compliance with the new EU privacy law. No additional software installation is required.

Terms of the Service

The information on this web site should not be treated as legal
advice. It is provided on an "as is" basis and without warranty of any
kind, either expressed or implied, including, but not limited to, the
implied warranties of merchantability and fitness for a particular
purpose. The entire risk as to the quality of the obtained information
is with you.

What are web cookies?

In technical terms, a web cookie (RFC 6265) is a small
piece of text that a website stores in your browser, in the background,
while it is loading the page. In the HTTP protocol, the server uses the
Set-Cookie header to set a cookie in the browser. The browser then sends
the cookie back to the website using the Cookie header.

Cookies were introduced because websites handle thousands of clients
at each moment and have no way to distinguish your network
connection from the multitude of other users' connections. This would
make any multi-step or transactional operations impossible. So on the
first connection the website assigns you a random identifier (a cookie),
which your browser reflects with each future connection. This way the
website can distinguish your connection from the others. This is just
the simplest example; in reality cookies can be used for numerous
other purposes that share the same goal: to uniquely identify
a client to the website.

What types of cookies are used?

From a privacy and compliance point of view there are three main
types of cookies:

Session cookies — used for purely
technical purposes, like storing your session over multi-step
processes etc. These cookies are usually considered harmless (and it
doesn't necessarily mean that the others are harmful). These
cookies are usually forgotten when your browser is closed.

Permanent cookies — allow the website
to recall your preferences or presence for a longer time. This can be
used to keep things like your color preferences but also identify you
as a returning customer who has purchased X, Y and Z in the past,
even if you did not register. These cookies can be
stored in your browser for months or years.

Third party cookies — these can be set
by ExampleBookstore.com, but with instructions to send them also to
ExampleAdvertising.com, a completely separate company. If you
searched for pizza books, and then go to ExampleFoods.com, the latter
will display pizza components in the first place, because the
advertising company they both use told it so. These
cookies cause the most controversy, especially as they are usually
permanent at the same time.
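
An added example (not WebCookies code) of how an audit can sort cookies into these types from the Set-Cookie headers seen while loading a page. The sample headers are constructed, the function names are illustrative, and comparing the last two host labels is a simplifying assumption that stands in for a Public Suffix List lookup.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attributes-by-lowercase-key)."""
    pair, *rest = header.split(";")
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val.strip()
    return pair.partition("=")[0].strip(), attrs

def lifetime(attrs, now):
    """'session', 'permanent' or 'expired'; Max-Age overrides Expires (RFC 6265)."""
    try:
        return "permanent" if int(attrs["max-age"]) > 0 else "expired"
    except (KeyError, ValueError):
        pass  # an absent or malformed Max-Age is ignored
    try:
        when = parsedate_to_datetime(attrs["expires"])
    except (KeyError, TypeError, ValueError):
        return "session"  # no usable expiry: dropped when the browser closes
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return "permanent" if when > now else "expired"

def site(url):
    """Last two host labels (assumption; a real audit uses the Public Suffix List)."""
    return ".".join(urlsplit(url).hostname.split(".")[-2:])

def audit(page_url, responses, now):
    """Return (name, lifetime, party) for each cookie set while loading page_url."""
    report = []
    for response_url, header in responses:
        name, attrs = parse_set_cookie(header)
        party = "first" if site(response_url) == site(page_url) else "third"
        report.append((name, lifetime(attrs, now), party))
    return report

# Constructed sample: (URL of the response, value of its Set-Cookie header).
SAMPLE = [
    ("https://www.examplebookstore.com/", "sid=a1b2c3; Path=/; HttpOnly"),
    ("https://www.examplebookstore.com/", "theme=dark; Max-Age=31536000; Path=/"),
    ("https://ads.exampleadvertising.com/p.gif", "uid=7; Expires=Wed, 01 Jan 2031 00:00:00 GMT"),
    ("https://www.examplebookstore.com/logout", "sid=; Max-Age=0; Path=/"),
]
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for a repeatable run
print(audit("https://www.examplebookstore.com/", SAMPLE, NOW))
```

The last sample row shows the deletion case: a cookie sent with Max-Age=0 is neither a session nor a permanent cookie and should not be listed as stored.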

Do I have to publish a cookies report for my website?

If your website or business is based in the European Union then yes. The extent
of the information depends on the interpretation of the EU law, but in most cases this needs to be
a list of cookies your website sets with a brief description of their purpose.

You can start with the cookies report provided by WebCookies.org and then add the
informative and legal content specific to your website. The British International Chamber of Commerce
published a guidance document, the ICC UK Cookie guide, that comes
in very handy for writing the legal part.

Why do people worry about web cookies?

There are two main reasons why people are concerned about web cookies:

End-users are concerned because they feel that cookies can be
used to track their activities on the web (behavioral
profiling). For example, if you search for "Camels" today on your
favorite search engine, you might continue to see cigarette related
advertisements on other, unrelated websites for the next month or so.
It's the profiling network that worked here and decided that you
might be interested in cigarette ads. In more sophisticated, future
schemes you might get a higher health insurance premium once the
network becomes suspicious that you're a smoker :)

Because of these concerns the European Union has enacted a new law
regulating storage of data on consumer devices. The
scope of this directive is rather wide and it is not
limited to classic HTTP cookies but covers any kind of data (see Evercookies
below). As a result, if you are a website owner in Europe, you just
became a "data controller" and as such should comply with a number of
regulations related to cookies.

What about the "EU Cookie Directive"?

European Directive 2009/136/EC (more on Wikipedia and in the
Directive itself) has a much wider scope. It doesn't actually
regulate "cookies" in the specific, technical meaning. This is what
the Directive says:

Member States shall ensure that the storing of
information, or the gaining of access to information already stored,
in the terminal equipment of a subscriber or user is only allowed on
condition that the subscriber or user concerned has
given his or her consent, having been provided with clear
and comprehensive information, in accordance with Directive 95/46/EC,
inter alia, about the purposes of the processing. This shall not
prevent any technical storage or access for the sole purpose of
carrying out the transmission of a communication over an electronic
communications network, or as strictly necessary in order for the
provider of an information society service explicitly requested by the
subscriber or user to provide the service.

There's also a paragraph in the preamble (non-binding but setting
context):

Third parties may wish to store information on the equipment of a
user, or gain access to information already stored, for a number of
purposes, ranging from the legitimate (such as certain types of
cookies) to those involving unwarranted intrusion into the private
sphere (such as spyware or viruses). It is therefore of paramount
importance that users be provided with clear and comprehensive
information when engaging in any activity which could result in such
storage or gaining of access. The methods of
providing information and offering the right to refuse should be as
user-friendly as possible. Exceptions to the obligation to provide
information and offer the right to refuse should be limited to those
situations where the technical storage or access is strictly necessary
for the legitimate purpose of enabling the use of a specific service
explicitly requested by the subscriber or user. Where it is
technically possible and effective, in accordance with the relevant
provisions of Directive 95/46/EC, the user's consent
to processing may be expressed by using the appropriate settings of a
browser or other application. The enforcement of these requirements
should be made more effective by way of enhanced powers granted to the
relevant national authorities.

As you can see, the Directive does not prohibit the use of cookies;
it only requires that end-users are fully informed about their
purpose and give their consent. The latter is quite a
challenge if you actually try to implement it on real websites.

There was a lot of confusion and discussion on how
this should actually be implemented. One of the first countries in the EU
to enact this law at the national level was the United Kingdom, and its
Information Commissioner's Office (ICO) decided to set a good example
and for some time took a very
literal approach, so to say, especially about the user's consent being
"prior" to website display.

As a result, if you visited the ICO website in that period, a part of it was
covered by a rather annoying pop-up banner asking if you agree to
receive a cookie. If you did, the banner would disappear — and
your "yes" answer would be of course stored in a cookie. If you did
not agree, you'd see the annoying pop-up on each page of ICO's website
you'd browse, because the website had no way to remember that you
answered "no". Later on, the ICO reverted its policy towards a more
liberal interpretation.

I have a website - how can I comply with the EU directive?

For most websites in most EU countries it should
be sufficient to provide clear, easy-to-read information on what
cookies your site sets and what their purpose is (example on ICO website). To
do that, you need to actually know what cookies it sets, and this
is where WebCookies.org helps a
bit. You can scan your website and use the obtained results as a
starting point to develop full documentation of the cookies used.

In addition to that, there's one Directive and 27 Member Countries in
the European Union to implement it, and each country took a slightly
different approach. As a result these local implementations
can substantially differ from each other. So if you need to be certain
about your compliance with the laws in your jurisdiction,
consult a technology lawyer.

Do you record all cookies that my website sets?

The short answer is: no. In some cases this service
will not be able to see and record all cookies used by a website.

First, WebCookies.org will load
the page as an anonymous user and will only receive cookies intended
for such users. It's quite common (and it's actually good security
practice) to set session cookies after the user has
authenticated, and these cookies will not be recorded.

Second, a website can set different cookies on different
pages. If you scan the main page and then some other part of the website,
you may get different results. You need to understand the technology used
to build different parts of your website to know which pages to test.

Third, we are currently recording only traditional cookies set using
the HTTP Set-Cookie header. While this is what is most often meant by
web cookies, remember that the Directive talks about "storing
information", not only HTTP cookies. And there are some other ways to
track users apart from cookies. Data can be stored in a similar way in
other objects such as Flash cookies, HTML5 storage and other means
collectively named Evercookie.
We are working on detecting those alternative storages.

Can I opt-out from tracking?

Network Advertising Initiative Consumer Opt-out is a joint effort of ~100
advertising companies that offers a single interface for opting out
from their tracking. Note that activating opt-out
will actually set opt-out cookies in your browser.
There will be a special opt-out cookie for each compliant advertising
provider, so it's kind of a "Catch 22": you need a cookie to get
rid of a cookie. But it seems to work (at least for Google ads, which
was the only one I actually tested).

WikiHow has easy-to-follow instructions on how to view and
delete cookies in Microsoft Internet Explorer, Mozilla Firefox and
Google Chrome. Note that right after you delete your cookies,
websites will start setting them again, and if you delete the opt-out
cookies mentioned above, your preference will no longer be passed to
ad companies.

Most recent browsers have a special "anonymous" browsing
mode. It's called Incognito in Chrome, InPrivate in MSIE and Private
browsing in Firefox. It's not really anonymous, as websites will
still see your original network address, but your
browser will not store any permanent data, typically used by
the Evercookies mentioned above.

If you don't like advertisements, you might consider ad-blocking
software such as AdBlock. Please note, however, that the majority of your favourite
websites are alive only because they can pay their bills with ads, so the more people block ads, the
more of these websites will just disappear or will only offer paid content.

Even ad-blocking software will not be able to prevent some forms of sophisticated tracking, such as
HTML canvas fingerprinting. Specialised add-ons such as NoScript for
Firefox can help here and are strongly recommended if you're concerned about your privacy. If you're
able to accept slightly increased page loading times in exchange for a high level of privacy,
you might try Tor Browser.

What is WebCookies/1.0 agent?

This site uses a script that emulates a web browser to render the page for which people
wanted to check the cookies. The script uses the following User-Agent string:

WebCookies/1.0 (+http://webcookies.org/faq/#agent)

The script does not crawl the whole website; it just fetches a single page entered by
a user on the WebCookies.org main page. The script renders JavaScript and
fetches images just like a standard browser, so you will see requests for JS, CSS and images.